Open mpiscaer opened 2 years ago
Hey @mpiscaer thanks for reporting the issue. Apologies that it's taken me so long to get back to you. We have a weekly triage for new open issues, but at our last meeting no one had experience with CAA records so we had to punt until I had the chance to do some research. We're regrouping again tomorrow and I'll update with the result of that discussion.
For posterity, Boulder does validate against the CAA record: https://github.com/letsencrypt/boulder/issues/1231.
Following up - I'm going to brain dump our internal discussion here.
step-ca
is used as a private CA for private PKI. While Let's Encrypt and other public CAs should verify against CAA records, the expectations from private CAs may be different. We care deeply about what we've built and how it fits into the broader ecosystem. We also go out of our way to be standards compliant when we think it makes sense. But, there's enough nuance here that we don't think it makes sense in this case. Let us know what you think!
Just to bump this up a bit, CAA records (and specifically the RFC 8657 ACME-CAA extension) have come up in relation to a rather well publicized traffic interception attack:
https://notes.valdikss.org.ru/jabber.ru-mitm/ https://www.devever.net/~hl/xmpp-incident https://snikket.org/blog/on-the-jabber-ru-mitm/
What would you like to be added
For example the ACME validation process does not check for the CAA record of the Domain name
Why this is needed
To validate if the request is valid and authorized to make the request.